PLEASE NOTE: This statement is also available to view online by clicking here.

COSTCO RECRUITMENT PRIVACY STATEMENT
COSTCO WHOLESALE UK LIMITED
The purpose of this privacy statement is to explain how we handle personal data about our job applicants and to explain the rights that they have under data protection law. In this privacy statement, we refer to this type of information as “Recruitment Data”.

This privacy statement applies to applications submitted via our Careers website (https://www.costco.co.uk/costco-opportunities) and third parties, such as recruitment agencies and job boards. It also applies to applications submitted via other means, such as by post and email.

In this privacy statement, “Costco” refers Costco Wholesale UK Limited.

What types of Recruitment Data do we collect and process?

We will only collect personal data in the recruitment process that is necessary to assess you for the post applied for and/or to keep in touch with you for future job opportunities. This may include the following categories of information:

• Information you provide in order to apply for a job vacancy with Costco, such as your name, your email address, your home address, telephone contact details, skills and a copy of your CV;
•  Information collected by Costco as a result of the recruitment process, such as your performance at interview or in other assessments and information provided by your referees;
• Information collected in order to keep in touch with you about future job opportunities at Costco, such as your name, email, LinkedIn profile, location, experience and the kind of role you are interested in.
• Information related to your use of our Careers website, for example your IP address. This information may be collected by using cookies.

We generally receive Recruitment Data either (a) directly from you (for instance when you provide information as part of your application or during the recruitment process) or (b) from third parties such as recruitment agencies, your referees, and companies conducting criminal records and drugs tests for us (see below).

For what purpose do we use Recruitment Data?
The main purposes for which we use your Recruitment Data are:

• to support and process any job applications you make to Costco. For example, so we can assess your ability to meet the job specification, in order to shortlist applicants and to verify references and professional qualifications provided by those applicants;
  
  
• to provide you with information about our current vacancies or job opportunities which you have requested. For example, where you have contacted us about current job opportunities at Costco;
• so we can learn about and improve the experience of users of the Careers website and applicants seeking to work at Costco, including equal opportunities monitoring.

What is Costco’s legal basis for processing your Recruitment Data?
Costco will only process your Recruitment Data for the purposes described above where we have a legal basis for doing so. In each case the legal basis will be one of the following:

• To decide whether to enter into a contract of employment with you: Where you have applied for a job and we need to use your Recruitment Data to determine whether we will enter into a contract of employment with you. This will be the legal basis for which we use your personal data in the majority of situations and will cover the use of your personal data from the initial application, through to interview and any other assessments.
• Where you have provided your consent: Where you have consented to us using your Recruitment Data. This may be to enable us to obtain a criminal records check, or to provide you with information about job vacancies at Costco.
• When it is in the legitimate business interests of Costco: Where it is necessary to understand our applicants in sufficient detail in order for us to deliver an effective recruitment service. For example, where the use of analytics and profiling is necessary in order to provide insights so that we can improve, maintain and manage relationships with applicants and attract talented individuals to work with us. This will be the main legal basis when using your personal data to improve the experience of users of the Careers website, as described above.
• To comply with our legal obligations: where we are subject to a legal obligation. For example, under local immigration or employment legislation.

Background Checks and Drug Testing
As part of Costco’s commitment to operating in a safe and drug-free environment, we require all successful applicants to complete a basic criminal records check and drug test before they can take up the position. All offers of employment are conditional on passing these checks. Please read the following section for more details.

If you are made a conditional offer of employment Costco, you will receive a request from our third party provider, European Background Limited, to begin a three factor verification process so that your offer can be confirmed. The purposes of these checks is to confirm: (1) that you have the right to work in the UK; (2) that there are no illegal substances in your system; and (3) that you have no unspent criminal convictions which, in Costco’s or European Background Limited’s discretion, make you unsuitable for the role.

These checks and tests are carried out by a third party, Synlab Ltd, and usually Costco does not receive anything more than a ‘Pass/Fail’ in respect of any applicant. In some circumstances, however, European Background Limited may share information about unspent criminal convictions to allow Costco to decide whether or not to confirm the offer. Should an offer be confirmed, this information will not be retained or recorded on your personnel file.

If you refuse to undertake any of these checks, you will be unable to take up the position. Consequently, if you are not willing to undertake a criminal records check or drug test, we suggest that you do not proceed with your application.

Who do we share your Recruitment Data with?
We may share your personal data within the Costco group, which consists of Costco Wholesale Corporation and a number of subsidiary companies in order to process your job application and manage the recruitment cycle. We restrict access to Recruitment Data to people within the Costco group of companies who have a “need to know” such information.

We also use third party service providers in order to conduct and manage recruitment. For example, the Careers portal on our website is provided by Workvine Limited and iintegra Limited. We may share your personal data with third parties who conduct our criminal records check and drug testing. Aside from to our suppliers, we will generally only disclose Employee Data outside Costco in the following circumstances:

• when required to do so by law;
• in response to a legitimate request for assistance by the police or other law enforcement agency; and/or
• to seek legal advice from our external lawyers or in connection with litigation with a third party.

Where does Costco store my Recruitment Data?
Costco is a multinational corporation, and uses service providers based around the world. Consequently, your Recruitment Data may be processed in countries outside of Europe, including in countries where you may have fewer legal rights in respect of your information than you do under local law. If we transfer personal data outside the European Economic Area we will, as required by applicable law, ensure that your privacy rights are adequately protected by appropriate safeguards. Please contact us if you would like more information about these safeguards.

How long do we keep your Recruitment Data for?
We will keep your personal data for no longer than is necessary to fulfil the purpose for which it was collected. If your application is successful, your Recruitment Data will be retained as part of your personnel file. Typically, Costco will retain Recruitment Data of unsuccessful applicants for 12 months, during which time we may contact you about other opportunities with Costco. You can let us know at any time if you would prefer us not to retain your information for this purpose.

Your Rights
If you are applying for a job with Costco in the European Economic Area (including the UK), you have the right to request access to, rectification or erasure of, your Recruitment Data. You may also have the right to object to or restrict certain types of processing of your Recruitment Data and can request to receive a machine-readable copy of the Recruitment Data you have provided to Costco.

If you notice an error in your application that you would like to correct, please contact us using the contact information below.

Any request to exercise one of these rights will be assessed by Costco on a case by case basis. There may be circumstances in which we are not legally required to comply with your request because of relevant legal exemptions provided for in data protection legislation.

Contact Us

Please contact us at gdprrequests@costco.co.uk if you would like to find out more about any matters to do with this Privacy Notice.

If you have concerns about the way in which Costco has handled your personal data you have the right to complain to your local Data Protection Authority. In the UK, the Data Protection Authority is the Information Commissioner’s Office. However, if you have concerns we encourage you to raise any concerns with Costco initially.

Updates to this privacy statement
We may change this privacy statement from time to time in order to reflect changes in the law, regulatory guidance or our data privacy practices in compliance with the law. When this happens and where required by law, we will provide you with a new or an updated notice and, if necessary, obtain your consent for the further processing.

This privacy statement was last updated on 30th May 2019.

Workvine GDPR data management summary

PLEASE NOTE: This is a bullet point summary of our commitments and practices under the GDPR, the full statement can be found below.

Who are we and who sees your data

We are Workvine Ltd. We provide the software the recruiter uses to manage your application and are the primary "Data Processor" dealing with your application.

For direct recruiters, they are a "Data Controller", for agencies, depending on their recruitment practice, they may be a "Data Controller" (usually for temp role recruitment) or "Data Processor" (usually for permanent roles with an employer).

There may be other data processors involved in the process and you will be informed of their involvement. If we need to, we will ask you before providing these third parties with your data. Some third parties can be passed limited data about you without the need for consent.

• Data Controller - The Employer
• Data Processors - The people providing the software or a service to the Data Controller, including (but not limited to):
  • An Internet based applicant tracking software provider
  • Background checking services
  • Outsourced telephone interview service providers
  • Agencies providing recruitment services to the Employer

Information Gathered

When processing an application, we gather the following information as a minimum:

• Name
• E-mail address
• Postal address
• Telephone number
• (optional) Curriculum Vitae/Resume

This data is used to enable a recruiter to contact you about the vacancy you've applied to.

When you apply via a job board, sometimes, they send more information than we require. We store this extra information for auditing purposes only. This data may include prior work experience and other employment information you have provided to them in the past.

The Data Controller can ask for further information when processing your application using custom forms defined by them. Custom form data is only ever processed in relation to your application.

Consent and you

• We do not require consent before you make an application.
• The "Data Controller" only requires consent from you where they wish to process your data for reasons outside of the original reason you provided your information e.g. a reason not directly related to an application or talent pool, or passing data to a third party that processes your data for a reason that is unrelated to your application.
• We process all information provided for your application based on the consent level you set.
• Where you do not set consent, if your application progresses to a stage where consent is required, we will ask for it before proceeding.
• Any consent you give is on a per-application or per-employer basis depending on the reason for the consent.
• You can withdraw your consent at any time with no need to provide a reason.

Storing and protecting your data

• Your data is stored on servers provided by the Microsoft Azure platform in their European data centres.
• Your data is never sold for profit.
• Your data is never given to third parties without explicit permission from you except where there is a legitimate interest to do so in the process of evaluating your application. Such a third party would be a Background Checking service or similar.
• On application, if known, any third parties that will be involved in evaluating your application will be disclosed.
• Your data is stored on encrypted drives. (Encryption at rest)
• Access to your data is restricted to the Data Controller (The company recruiting for the role) and Hiring Managers associated with your applications.
• Our staff will only ever access your data if they are instructed to do so by you, the Data Controller, a legal request by a law enforcement agency or if an issue is detected with the system which requires data repair or removal.
• We will notify you of any changes made by the Data Controller to your core data including your name and contact details.
• You can always review your applications and see what data is held in full via the portal provided.
• You can export your data at any time.
• You can remove all your data at any time.

 

Complaints and requests for information

• Complaints and requests for information should in the first instance be directed to the Data Controller.
• As the Data Processor we provide tools allowing you to access and control all the data held by us for your applications using the portal provided.
• If you are unhappy with any aspect of the way in which your data is being held, you can raise the issue with us using our support portal.
• You also have the right to lodge complaints with the Information Commissioners Office.

 

For more details on any of these points, please refer to our full GDPR data management statement.

 

About your application process

There may be several stages of your application that allow us to process your data in an automated, semi-automated or manual way, each of which is described below.

Pre-Screening

You will be presented with a form that will ask specific questions relevant to your suitability for the role.

The answers to the questions will be automatically scored using rules set out by a recruiter when they created the vacancy.

If your application cannot proceed based on your answers, you are able to contact the recruiter responsible for the vacancy and request a review of your answers and the outcome using the applicant portal provided.

Under Review

If you are shortlisted for a role, all of the data collected as part of your application up to that point may be made available to one or more hiring managers who will be involved in the decision making process for your application.

In the event of your application being direct to the employer, hiring managers are typically senior staff within the same company.

If this application is via a recruitment agency or other third party agent working on behalf of an employer, the hiring managers will be senior staff from the employers organisation.

Telephone Interview

During your application, we will want to speak to you on the phone.

You may be contacted by one of our recruiters or a third party agent acting on our behalf who will want to discuss the role with you and your reasons for applying. You may also be asked some specific questions that the employer has set out for the application process.

Workvine GDPR data management statement

Introduction

Workvine Ltd ("Workvine") takes the privacy and security of your information very seriously. This policy explains how and for what purposes we use the information collected about you via the Talentvine Talent Acquisition Platform (referred to below as the “TAP”).

Please read this data management policy carefully.

For the purposes of the GDPR, Workvine is classed as a Data Processor and processes your information on behalf of the Data Controller.

If you have any queries about the policy, please get in touch with us using the contact details set out here and we will do our best to
answer your questions.

Service Providers

Workvine uses the Azure platform from Microsoft to deploy its servers. All of the servers used by the Talentvine platform are restricted to physical locations based in the European Union.

Microsoft and its employees do not have access to any data stored on the Talentvine platform. However, restricted access may be required occasionally to assist with technical issues as they arise.

Personal information collected

The TAP is configurable on a client by client basis to collect any data they deem reasonable for the purposes of recruiting individuals to
open positions that they have.

The TAP requires a minimum of information to start an application which is set out below:

• Name
• E-mail address
• Postal address
• Telephone number
• (optional) Curriculum Vitae/Resume

The TAP may be configured by the client to request additional information from you in furtherance of your application.

Use of this information

The TAP uses the information you provide to assist our client in the management of the application.

Sharing this information

Where our client requires a third party to process your data, we will make the minimal amount of information available for the process to work. Your data may be shared with a third party as part of your application process for the purposes of telephone interview, assessment or background checks.

Security

We have implemented technology and policies to safeguard your privacy from unauthorized access and improper use. We use secure sockets, currently implementing the TLS v1.2 standard to encrypt any personal information you need to input before it is sent to us.

Your password is stored as a one-way hash (a special string of characters mathematically generated using your password as a starting point) using the SHA-512 hashing algorithm which does not contain any trace of your original password. When you login, we re-calculate the hash based on the password you provide and compare it with the hash we store.

All of your data is stored within encrypted databases and on storage mediums with encryption enabled. This is typically referred to as
encryption at rest.

 

Control over your information

As the data processor, we provide services and facilities that help you to manage your data and exercise your rights according to the GDPR.

These facilities are outlined below:

 

Your right to withdraw consent

At any time, you can access your application management portal and withdraw your consent for each application individually. When you withdraw consent, your application will still be processed but under the stricter "Legitimate Interest" clauses of the GDPR.

Your right to be forgotten

In addition to the ability to withdraw your consent for individual applications, you can at any time remove either individual applications or all of your data from Talentvine in your account. When you do this, anonymised copies of your applications are retained for reporting purposes.

Your right to complain

If you are unhappy with the way your data has been handled, you have the right to complain at any time. If you wish to make a complaint, please contact our Data Protection Officer via our Support portal by emailing clientsupport@workvine.co.uk. You also have the right to lodge complaints with the Information Commissioners Office. Please visit https://ico.org.uk/concerns/ for further information or to start a live chat. Alternatively, you may call the ICO on 0303 123 1113.

How we prevent duplicate applications

When you make your application, we store a one-way hash of your e-mail address against the vacancy to which you apply in order to detect and prevent duplicate applications. This hash is not connected to your personal data and will be retained if you remove an application or your entire account.

When you apply to a vacancy, we calculate a one-way hash of the e-mail address you provide and compare the hash against any previous hashes we have stored for that vacancy. If we find a match using this technique, we prevent the application from being made.

Updates to this Notice

We review the ways we manage your information in accordance with the guidelines and legal requirements set out by the GDPR and other relevant Data Protection acts. Because of these reviews we may change how we manage and store the information collected and who we share it with. Consequently, this privacy notice may be updated from time to time.

Contact

Contact us with your views about our privacy practices, or with any enquiry relating to your personal information. You can do so by sending an e-mail to the data officer or write to us at Unit 42 The Quarters, New Street, Hinckley, LE10 1QY.

Date : 12/Feb/2018